On Wed, Feb 18, 2015 at 5:32 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 15/02/18, Paul Moore wrote:
> I would imagine a scenario where we introduced the new format in stages:
>
> #1 - Move in-kernel audit record string generation completely into
> kernel/audit*.c. Benefits everyone regardless of the audit format.
Ok.
> #2 - Introduce a versioned audit API. The most difficult step for
> obvious reasons.
That infrastructure should already be in place. We just converted over
the version field to a bitfield listing the availability of features.
An initial call can be made to find out if it is supported, then use the
feature switching bitfield to enable it. We could alternately make a
different unicast socket available signalling its availability.
Some of the most basic parts of a versioned API are present, but there
are *big* chunks missing.
> #3 - Deprecate the old/existing audit record format, make it a Kconfig
> option that defaults to off and emit a warning when the old formatting
> is used. This will be a year, and most likely more, after step #2.
>
> #4 - Remove the old/existing audit record code. Once again, this
> would happen a couple of years after step #3.
I suspect in practice steps #3 and #4 could take a lot longer.
You may be right, I consider the times above as minimums. However,
I'm not completely shutting the door on moving things along sooner; I
don't think we have a ton of users. We'll find out.
--
paul moore
www.paul-moore.com